In my wiregurad client config, I set the Permitted-Networks to 192.168.0.0/16 (just to be sure) - and the subnet-jump from 192.168.90.x to 88.x seems to work. Or maybe this only works because the "wireguard" interface is in the .90.x subnet and thus accessible...?
What am I missing here? Maybe someone can help me since I am struggling for a while now. Thanks a lot in advance.
Find my config below
# apr/15/2024 14:29:11 by RouterOS 7.8
# software id = EZFV-DY09
#
# model = CCR2004-1G-12S+2XS
# serial number = removed
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=wan-sfpplus1 \
speed=1Gbps
/interface wireguard
add listen-port=xxx name=wireguard-vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.91.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
add bridge=bridge1 disabled=yes interface=wan-sfpplus1
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wan-sfpplus1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard-vpn list=LAN
/interface wireguard peers
add allowed-address=192.168.90.100/32 comment=removed interface=\
wireguard-vpn public-key=removed
/ip address
add address=removed comment=defconf disabled=yes interface=wan-sfpplus1 \
network=removed
add address=192.168.88.1/22 interface=bridge1 network=192.168.88.0
add address=removed interface=wan-sfpplus1 network=removed
add address=192.168.90.10/24 interface=wireguard-vpn network=192.168.90.0
/ip dhcp-client
add disabled=yes interface=wan-sfpplus1
/ip dhcp-server config
set store-leases-disk=2h5m
/ip dhcp-server lease
add address=192.168.88.2 client-id=removed mac-address=\
removed server=dhcp1
add address=192.168.89.250 client-id=removed mac-address=\
removed server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.88.0/22 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=22
/ip dns
set allow-remote-requests=yes servers=removed
/ip firewall filter
add action=accept chain=input comment="WAN -> Firewall Wireguard Access" \
dst-port=xyz protocol=udp
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge1
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=bridge1
add action=accept chain=input comment="Allow Wireguard access" disabled=yes \
in-interface=wireguard-vpn
add action=accept chain=input disabled=yes dst-address=192.168.88.1 \
in-interface=wireguard-vpn
add action=accept chain=input dst-address=192.168.88.0/22 in-interface=\
wireguard-vpn
add action=drop chain=input
add action=accept chain=forward comment="Wireguard to LAN Access " \
dst-address=192.168.88.0/22 in-interface=wireguard-vpn out-interface=\
bridge1
add action=drop chain=forward
add action=log chain=input disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name= removed
/system routerboard settings
set enter-setup-on=delete-key